initial_access_suspicious_file_delivery_via_html_smuggling.yml

name: Suspicious file delivery via HTML smuggling
id: b93b5203-78da-4ffa-9b9d-4bd50b3eca1c
version: 1.0.0
description: |
  Detects suspicious file delivery via HTML smuggling, a phishing technique 
  where malicious payloads are embedded inside HTML files and reconstructed 
  on the victim system using browser-side JavaScript.
  Adversaries abuse spearphishing attachments for initial access while bypassing
  traditional email and network-based security controls.
labels:
  tactic.id: TA0001
  tactic.name: Initial Access
  tactic.ref: https://attack.mitre.org/tactics/TA0001/
  technique.id: T1566
  technique.name: Phishing
  technique.ref: https://attack.mitre.org/techniques/T1566/
  subtechnique.id: T1566.001
  subtechnique.name: Spearphishing Attachment
  subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
references:
  - https://www.ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript

condition: >
  sequence
  maxspan 45s
  by ps.name
    |spawn_process and
     ps.parent.name ~= 'explorer.exe' and ps.name iin web_browser_binaries and
     (ps.args iin ('-url', '--single-element') or (ps.name ~= 'iexplore.exe' and length(ps.args) = 2)) and
     ps.cmdline imatches
                (
                  '*?:\\Users\\*\\Downloads\\*.htm*',
                  '*?:\\Users\\*\\AppData\\Local\\Temp\\*.htm*',
                  '*?:\\Users\\*\\Content.Outlook\\*.htm*'
                )
    |
    |create_file and
     file.extension iin ('.exe', '.iso', '.zip', '.rar', '.7z', '.img', '.vhd', '.js', '.bat',
                         '.com', '.vbs', '.vbe', '.ps1', '.wsh', '.hta', '.cpl', '.jse', '.scr') and
     file.path imatches '?:\\Users\\*\\Downloads\\*'
    |
action:
  - name: kill

severity: high

min-engine-version: 3.0.0